[Samba] Noob question: users moved to an OU disappear from getent, but groups don't
rowlandpenny at googlemail.com
Tue Apr 21 14:37:33 MDT 2015
On 21/04/15 20:53, Daniel Carrasco Marín wrote:
> Thanks to both for the answers.
> I'm using the latest version of wheezy-backports (Version 4.1.17-Debian)
> and on this server I don't need to map the AD users to Linux tools (I'm
> doing tests before changing anything on production servers), but I'm planning
> to use a File Server and a Print Server on separate machines and I need to
> have access to AD users. If I disable the winbind entries on those servers then
> all OS tools like getent, chown, setfacl... cannot use the AD users (I've
> done some tests and I got a non-existent user/group error), and I need
> that, so: can I use Winbind without problems on client machines?
You seem to want to set up a member server with an AD DC; if this is the
case, then yes, this is the recommended way, see:
I would also suggest that you test that you can get user IDs from AD.
>>>>>>> netbios name = PDC.CASA.RED
>>>> netbios name = PDC
>>>> Dots are not allowed in host names.
The dots are not really the problem; the problem is that you are using
the entire FQDN for the netbios name.
> Ok, good to know. It was copied from the old Samba domain.
>>>> winbind normalize names = yes
> Why can this entry be problematic? It changes the spaces in names to
> underscores, which is useful with Cups (I can't add a group with spaces to allowed
> groups). I'm curious.
This is not a problem; it makes winbind turn names like 'Domain Users'
into 'domain_users', which is usable by Unix.
> For now I know that I have to change the netbios name in smb.conf before the
> classic upgrade (the old server's netbios name is wrong), I have to delete some tdb
> files, and I have to leave the smb.conf without changing anything after the
The upgrade should leave you with a fully working AD DC, you shouldn't
have to alter anything, except perhaps adding template shell & template
homedir lines and/or adding shares.
> Tomorrow I'll do some tests and I'll report here how it went.
> Thanks again to both and greetings!!
> 2015-04-21 20:08 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:
>> Greetings, Daniel Carrasco Marín!
>>> I've migrated the domain by copying all files in /var/lib/samba and
>>> from the original domain to the new domain, I've edited the smb file to change the
>>> "passdb backend" line to match the old server (because the original is
>>> localhost and gives me an error connecting), and then I ran this command:
>>> samba-tool domain classicupgrade --dbdir=/home/user/samba
>>> --realm=casa.red --dns-backend=BIND9_DLZ /home/user/smb.conf
>>> After all the progress I changed the bind config file to add the samba
>>> (matching the Bind version 9.9).
>>> When I connect to the new domain all users and groups are in the "Users" folder;
>>> then if I move all groups to a new OU "getent group" works perfectly, but if I
>>> move some users to a new OU then they disappear from "getent passwd". I've done
>>> some tests and it is strange because I have 100 users:
>>> - I've moved some users and they have disappeared from getent (88 users).
>>> - Later I've moved some other users and the result was 94 users.
>>> - Later, without touching anything, it went back to 100 users.
>>> - Later again I've moved another user and it has changed to ~74 users (I
>>> don't remember the exact number).
>>> - And now it's back to 100 users and for now it is not changing...
>> If you rely on "getent passwd" enumerating the whole winbind user list...
>> I have news for you - you shouldn't. Depending on the winbind configuration,
>> it may or may not list users, and does so in a very lean manner.
>> If you REALLY want to know if certain users are accessible to the system,
>> specify user name or uid as a filter.
>>> Maybe it is a cache problem, but I don't know why the cache wasn't
>>> updated after all I did. I've even purged the winbind package and deleted
>>> the cache files to install a clean version of winbind and the problem
>>> Is an AD, but if I use the smb.conf provided by classicupgrade then it
>>> doesn't show the AD users/groups (it doesn't have any info about Winbind).
>>> Maybe I should create a hybrid adding only the Winbind entries?
>>> Anyway, tomorrow I'll try because I have to revert again to the backup
>>> and it is late.
>> As has been said, put your smb.conf back to where it was, and don't
>> touch it unless you know what you are doing.
>> A number of issues are apparent even to my untrained eye.
>>>>> Here's my samba cfg:
>>>>> workgroup = CASA
>>>>> realm = casa.red
>> Realm in all caps.
>>>>> winbind nested groups = No
>>>>> winbind separator = +
>>>>> winbind normalize names = yes
>> These will bite you. Soon.
>>>>> idmap config CASA : backend = ad
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 1000-20000000
>> Where's the idmap range for CASA?
>>>>> # Disable Cups on this server
>>>>> printcap name = /etc/printcap
>>>>> load printers = no
>> printcap name = /dev/null
>> printing = BSD
>> With best regards,
>> Andrey Repin
>> Tuesday, April 21, 2015 21:01:29
>> Sorry for my terrible English...
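As an added example that is not part of the thread, this is what a member-server smb.conf (the file/print server setup Rowland recommends) looks like with the three points raised above addressed: a short NetBIOS name instead of the FQDN, the realm in upper case, and an explicit idmap range for the CASA domain so that the 'ad' backend has something to map into. The host name and the range values are assumptions; the "was:" comments show the settings quoted from the poster's file.

```ini
# Member server joined to the CASA / CASA.RED domain (added example, not the poster's file).
[global]
    workgroup = CASA
    # was: realm = casa.red  (Samba expects the Kerberos realm in upper case)
    realm = CASA.RED
    security = ADS
    # was: netbios name = PDC.CASA.RED  (short host name only, never the FQDN; FILESERVER is assumed)
    netbios name = FILESERVER

    # Default backend for every domain not listed explicitly (BUILTIN, trusted domains).
    # Range values are assumptions; they must not overlap the CASA range below.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # The CASA domain itself: the 'ad' backend reads uidNumber/gidNumber (rfc2307
    # attributes) from AD, but winbind only maps objects whose ID lies inside this
    # range. The quoted config had no range for CASA at all, so nothing could be mapped.
    idmap config CASA : backend = ad
    idmap config CASA : schema_mode = rfc2307
    idmap config CASA : range = 10000-999999

    # Shell and home directory for users that carry no loginShell / unixHomeDirectory in AD
    # (the "template" lines Rowland mentions).
    template shell = /bin/bash
    template homedir = /home/%D/%U

    # Keeps 'Domain Users' usable as domain_users by Unix tools and CUPS, as discussed above.
    winbind normalize names = yes
    winbind separator = +
    # was: winbind nested groups = No  (left at the default so nested group membership resolves)
    winbind nested groups = yes

    # This server does not handle printing.
    printcap name = /dev/null
    load printers = no
    printing = bsd
```

After joining, check resolution of a specific account (getent passwd CASA+someuser, or id) rather than relying on a full getent enumeration, which Andrey notes may be incomplete by design.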